Synology says SynoLocker hasn't hit NAS servers on DSM 5.0

The nasty SynoLocker ransomware that has hit scores of Synology network attached storage (NAS) devices appears to have exploited a flaw that Synology patched in December 2013.

Earlier this week it was unclear exactly how SynoLocker cryptographic ransomware latched on to Synology devices. Users on Sunday reported finding a message from the crypto-ransomware operators demanding 0.6 Bitcoin -- or around $350 -- for the decryption key. Victims would need to install a Tor browser to access the hidden website where they could make the payment and receive the key. 

According to Synology, user reports so far indicate that the attack only affects Synology NAS devices running version 4.3 of its DiskStation Manager (DSM) and not DSM 5.0, which includes the fixes released last December for two critical flaws that allowed unauthorised access via the Windows File Service and File Station.

The two vulnerabilities were assigned the identifiers CVE-2013-4475 and CVE-2013-6987.

  • a weakness that allows remote attackers to bypass intended file restrictions and access data in unauthorised areas. (CVE-2013-4475)
  • a weakness that allows remote attackers to access arbitrary data via a “..” (parent-directory) sequence in the file path passed to multiple Web API CGIs. (CVE-2013-6987)

"Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM, by exploiting a security vulnerability that was fixed in December, 2013, at which time Synology released patched software and notified users to update via various channels. The DSM 4.3-3810 Update 3 patch addressed two security vulnerabilities -- CVE-2013-4475 and CVE-2013-6987. At present, we have not observed this vulnerability in DSM 5.0," Synology said in a statement. 

"Therefore we'd like to urge our users to update their Synology NAS. Furthermore, to prevent spread of the issue we have only enabled QuickConnect and Synology DDNS service to secure versions of DSM. You may find more information about the symptoms and our call to actions here."

The company also referred users to its article containing tips for hardening their Synology NAS.


The update from Synology could be good news for anyone running the older version of DSM who hasn't been affected, but it offers little comfort to victims of the attack who may never recover their files.

Some alleged victims claim to have received the decryption key after making a payment, while others say they paid but never received it.
